1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4(1) of the GDPR.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Data Controller" (or "Controller") means the customer who determines the purposes and means of Processing Personal Data.
- "Data Processor" (or "Processor") means Media Luna, which processes Personal Data on behalf of the Controller.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
- "GDPR" means the General Data Protection Regulation (EU) 2016/679.
- "SCCs" means the Standard Contractual Clauses adopted by the European Commission.
2. Scope & Roles
2.1 Roles
For the purposes of this DPA and applicable data protection laws:
- The Customer is the Data Controller for Personal Data processed through Media Luna's services.
- Media Luna acts as a Data Processor, processing Personal Data solely on behalf of and under the instructions of the Controller.
2.2 Scope of Processing
This DPA applies to all Personal Data processed by Media Luna in providing the uptime monitoring services, including:
- Account user data (names, email addresses, roles)
- Monitor configurations that may contain hostnames or IP addresses
- Monitoring results and incident data
- Notification delivery metadata
- Billing contact information
3. Data Processing Instructions
3.1 Controller's Instructions
The Processor shall process Personal Data only in accordance with the Controller's documented instructions, which include:
- Providing the monitoring service as described in the service agreement
- Executing health checks against configured endpoints
- Storing monitoring results and generating incident reports
- Delivering notifications through configured channels
- Processing billing and subscription management
3.2 Limitation of Processing
The Processor shall not:
- Process Personal Data for any purpose other than providing the services
- Sell, rent, or otherwise commercialize Personal Data
- Combine Personal Data with data from other controllers without explicit consent
- Transfer Personal Data to third parties except as described in this DPA
4. Sub-processors
4.1 Authorized Sub-processors
The Controller authorizes the use of the following categories of sub-processors:
| Sub-processor |
Purpose |
Location |
| Amazon Web Services (AWS) |
Cloud infrastructure, database hosting, compute |
US / EU (configurable) |
| Stripe, Inc. |
Payment processing, subscription management |
US (certified under EU-US DPF) |
| Transactional email provider |
Email notification delivery |
US / EU |
| Twilio, Inc. |
SMS notification delivery |
US (certified under EU-US DPF) |
4.2 Changes to Sub-processors
The Processor shall notify the Controller at least 30 days in advance of any changes to sub-processors. The Controller may object to a new sub-processor by notifying the Processor within 14 days. If the objection cannot be resolved, the Controller may terminate the affected services.
4.3 Sub-processor Obligations
The Processor shall ensure that each sub-processor is bound by data protection obligations no less protective than those in this DPA, including requirements for confidentiality, security, and compliance with the Controller's instructions.
5. Security Measures
The Processor implements and maintains the following technical and organizational measures to protect Personal Data:
5.1 Encryption
- Data in transit: TLS 1.2+ for all communications
- Data at rest: AES-256 encryption for databases and storage volumes
- Sensitive fields: Additional application-level encryption for authentication credentials and API keys
5.2 Access Control
- Role-based access control (RBAC) with principle of least privilege
- Multi-tenant data isolation at the database query level (all queries filtered by account_id)
- Two-factor authentication (TOTP) available for all user accounts
- Scoped API keys with granular permissions
5.3 Infrastructure Security
- Network isolation using VPCs and security groups
- Automated vulnerability scanning and dependency updates
- Security headers (HSTS, CSP, X-Frame-Options)
- Rate limiting and DDoS protection
5.4 Operational Security
- Structured JSON logging with request tracing
- Automated log rotation with 90-day retention
- Incident response procedures with defined escalation paths
- Regular backup procedures with tested restoration
6. Data Subject Rights
The Processor shall assist the Controller in responding to Data Subject requests, including:
- Right of Access: Self-service data export available via the dashboard (Settings → Account → Export My Data)
- Right to Rectification: Users can update their personal data via account settings
- Right to Erasure: Account deletion permanently removes all associated data via CASCADE deletion
- Right to Data Portability: Data export in machine-readable JSON format via the API
- Right to Restrict Processing: Monitors can be paused; notification channels can be disabled
The Processor shall respond to Data Subject requests within 72 hours and shall notify the Controller of any requests received directly.
7. Data Breach Notification
7.1 Notification Timeline
In the event of a Personal Data breach, the Processor shall:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach
- Provide initial assessment including nature of the breach and approximate number of data subjects affected
- Provide regular updates as the investigation progresses
7.2 Notification Content
The breach notification shall include:
- Description of the nature of the breach
- Categories and approximate number of data subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact details for the Processor's data protection point of contact
8. International Data Transfers
Where Personal Data is transferred outside the European Economic Area (EEA):
- Transfers to countries with an adequate level of protection are permitted under GDPR Article 45
- For other transfers, the parties agree to enter into the EU Standard Contractual Clauses (SCCs) as adopted by Commission Implementing Decision (EU) 2021/914
- Sub-processors in the US are certified under the EU-US Data Privacy Framework where applicable
- Supplementary measures (encryption, access controls, contractual commitments) are applied where necessary based on transfer impact assessments
9. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA:
- Audits may be conducted up to once per year with 30 days' written notice
- The Processor shall provide reasonable cooperation and access to relevant documentation
- Remote audits (document review, questionnaires) are preferred; on-site audits available for Enterprise plans
- The Processor may satisfy audit requests by providing certifications, audit reports, or equivalent third-party assessments (e.g., SOC 2)
10. Data Retention & Deletion
10.1 During the Agreement
Personal Data is retained in accordance with the Controller's subscription plan settings and any specific retention instructions.
10.2 Upon Termination
Upon termination of the service agreement:
- The Controller may export all data within 30 days of termination
- After the 30-day export window, all Personal Data will be permanently deleted
- The Processor will confirm deletion in writing upon request
- Backup copies will be purged within 90 days of deletion
- Billing records are retained for 7 years as required by applicable law
11. Term & Termination
This DPA is effective for the duration of the service agreement between the parties. It terminates automatically when:
- The service agreement expires or is terminated
- All Personal Data has been deleted or returned to the Controller
Sections relating to confidentiality, liability, and data deletion obligations survive termination.
12. Contact
For questions about this DPA or to exercise rights under it: